Definition
The Noise Protocol handshake is the mandatory encryption and authentication step that opens every Stratum V2 connection. Before a single mining message crosses the wire, miner and server complete a cryptographic handshake built on the Noise Protocol Framework; only after it succeeds does the actual work protocol begin. This is one of the starkest upgrades over Stratum V1, whose plaintext JSON-RPC traffic could be read, redirected, or rewritten by anyone sitting on the path — an ISP, a compromised router, or a malicious hotspot. Documented hashrate-hijacking attacks against V1 worked precisely because nothing authenticated the pool and nothing protected the jobs in transit. Stratum V2 closes that hole at the transport layer, before the mining conversation even starts.
The Noise_NX pattern, act by act
Stratum V2 specifies the Noise_NX_secp256k1_ChaChaPoly_SHA256 pattern. In Noise shorthand, "N" means the initiator (the miner or proxy) carries no static key of its own, and "X" means the responder (the server) transmits its static key during the handshake. It plays out in two acts. In act one, the client generates an ephemeral keypair and sends its public key — 64 bytes, encoded with ElligatorSwift so the bytes look pseudo-random to a passive observer instead of screaming "elliptic-curve point." In act two, the server replies with its own ElligatorSwift-encoded ephemeral key, performs an ephemeral-ephemeral Diffie-Hellman exchange, then sends its static public key encrypted, followed by an encrypted SIGNATURE_NOISE_MESSAGE: a small certificate carrying a version field, a validity window (valid_from and not_valid_after timestamps), and a 64-byte BIP340 Schnorr signature over those fields plus the server's static key.
The Pool Authority key
That signature is what turns encryption into authentication. It is verified against a Pool Authority public key distributed out-of-band — embedded directly in the connection URL, as in stratum2+tcp://pool.example.com:34254/[base58check-encoded authority key]. Because the miner already holds the authority key before connecting, a man-in-the-middle cannot substitute its own server key without failing signature verification. Compare that with V1, where a miner has no cryptographic way to know it reached the real pool at all. The design is a deliberately minimal two-level PKI: one authority key signs short-lived server certificates, no certificate authorities or TLS stack required.
What runs after the handshake
Once act two verifies, both sides derive symmetric sending and receiving keys and switch to ChaCha20-Poly1305 AEAD encryption with an incrementing nonce counter. Every subsequent frame is encrypted and carries a 16-byte Poly1305 authentication tag, so tampering is detected, not just hidden. Because the session keys derive from ephemeral keypairs generated per connection, the channel has forward secrecy: capturing traffic today and stealing a server key tomorrow decrypts nothing. The primitives are deliberately Bitcoin-native — secp256k1 for ECDH, SHA-256 for hashing, BIP340 Schnorr for the certificate — so an implementation can lean on the same libraries a Bitcoin node already trusts. Operationally the whole exchange costs almost nothing: two messages at connection time, a few hundred bytes, and symmetric ciphers fast enough that even a proxy terminating hundreds of devices barely notices the overhead.
Why it matters on your rack
For a home or small-fleet operator, the handshake means your shares, worker names, and job flow are no longer legible to your ISP or anyone on your LAN, and your hashrate cannot be silently redirected mid-session. Every Stratum mining channel rides inside this encrypted envelope, and the miner-side transaction choice negotiated through the Job Declaration Protocol inherits the same protection. Firmware support is the practical gate: BraiinsOS+ ships native Stratum V2 on industrial Antminers, and AxeOS/ESP-Miner v2.14.0+ brought native SV2 to the Bitaxe in June 2026, while most other firmware still speaks V1 only — one more reason the open-firmware path is the sovereign one.
In Simple Terms
The Noise Protocol handshake is the mandatory encryption and authentication step that opens every Stratum V2 connection. Before a single mining message crosses the wire,…
